The tech industry says it's open to a national law protecting consumer data privacy. But even after the Senate Commerce Committee spent two and a half hours questioning some of the industry's top players, there are still few clues as to what such a law might look like.

Senior leaders from Apple, Amazon, Twitter, Google, Charter Communications and AT&T offered few concrete recommendations, as my colleague Cat Zakrzewski and I reported. And their divergent data collection practices, business models and attitudes toward consumer privacy on display at the hearing highlight how complicated it’s going to be for Congress to hammer out a single, sweeping bill, let alone pass it. (Amazon.com founder and chief executive Jeffrey P. Bezos owns The Washington Post.)

Senators acknowledged they were just getting the ball rolling. “While this hearing grows out of recent concerns about consumer privacy, it is not intended to be a ‘gotcha’ hearing. Instead, it represents the beginning of an effort to inform our development of a federal privacy law that enjoys strong bipartisan support,” Commerce Committee Chairman John Thune (R-S.D.) said in the hearing. “Politics is always about timing, and I believe now is the time to begin action on this important issue.”

Here are a few takeaways about where the debate is headed:

1. Tech companies are holding their cards close for now. Calls for federal privacy legislation were prompted in large part by California’s new privacy law and Europe’s General Data Protection Regulation, which put tough restrictions on what companies can do with user data. But witnesses hedged during Wednesday’s hearing when senators asked them whether there was anything in those policies that is worth emulating nationally. The witnesses were mum except for Len Cali, AT&T’s senior vice president for global public policy, who said only that he was pleased both laws applied uniformly to all companies.

The companies kept their criticisms of the laws very general, too. Google, for instance, said complying with GDPR had been a “tremendous challenge.” And the executives said they worried that start-ups and other small businesses could struggle with compliance costs. But overall they avoided discussing specific proposals in depth. For example, when Sen. Amy Klobuchar (D-Minn.) asked whether companies should be required to notify customers of data breaches within 72 hours, they shook their heads silently. “I’m going to take that as a no,” she said.

2. The companies agreed on broad privacy principles. The companies used the hearing to explain their privacy frameworks to lawmakers. Executives from Twitter and Apple said they viewed privacy as a “fundamental right.” And all the witnesses said they supported making their privacy policies more transparent to customers and giving users more control over what companies can do with their data. But lawmakers acknowledged that writing a privacy law that applies across a broad swath of tech and telecommunications companies, each handling customer data differently, is a challenge. “There’s often a temptation to lump technology leaders like this together, as if they are all the same,” Thune said.

3. Democrats are ready to push for an aggressive bill. A lot of Wednesday’s discussion touched on whether federal privacy legislation should supersede California’s law or any other state’s privacy policies. The witnesses agreed that it should, saying they’re concerned about having to comply with 50 separate state laws that may vary widely. Sen. Brian Schatz (D-Hawaii) said he understood their concerns, but warned them not to expect a watered-down bill. “We’re not going to get 60 votes for anything and replace a progressive California law — however flawed you may think it is — with a nonprogressive federal law,” he said.

4. Republicans seem more wary of using California and Europe as models. Sen. Jerry Moran (R-Kan.) voiced concerns about the Golden State’s privacy law and GDPR, saying “innovative and entrepreneurial businesses” could be harmed by their regulatory overhauls. Thune, too, pondered whether some of GDPR’s requirements would make it harder to launch start-ups or even discourage small companies from doing business in Europe.

5. Some lawmakers still have a lot to learn. Even though technology executives are making more regular trips to the Hill, a deep divide remains between how lawmakers and tech officials talk about privacy issues. The divergence was on display in one exchange between Sen. Jon Tester (D-Mont.) and Google Chief Privacy Officer Keith Enright. Tester held up his iPhone and told the witness it sometimes “mystifies” him. He then pressed Enright on how the company's ads work.

“I’ll get on and look for a set of tires for, say, my semi truck,” Tester said. “And, presto-chango, I might be checking scores on ESPN or weather on some other weather channel, and up comes an advertisement for tires for my truck. How the hell do they get that information?”

Enright launched into an explanation of Google's advertising platform. “I want to be very clear — we understand the complexity of the Internet ecosystem,” Enright said. “I don’t,” Tester responded.

6. Congress has yet to hear from a long list of stakeholders. There are many stakeholders who weren't at Wednesday's hearing who could shake up the debate. Consumer advocacy groups were absent, and they will be sure to fight any attempts to roll back strong state-level regulation. Big tech loves to argue that any regulation will stifle innovation, but no small companies were present to talk about whether GDPR or the California privacy law have created major burdens that hurt their businesses. Academics who study privacy and who can offer empirical evidence on these topics weren't in attendance. Though three of the big five tech giants appeared at the hearing, Facebook and Microsoft were not there, and are sure to also want to play a role in this bill. Thune said not to worry: there will be more hearings on this subject where some of these perspectives will be represented.

You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.

PINGED: President Trump on Wednesday directly accused China of interfering in the U.S. midterm elections -- but did not offer any evidence to back up his claim, The Washington Post's David Nakamura and Ellen Nakashima reported. “The president made the allegation during his opening remarks at a U.N. Security Council meeting on nonproliferation, asserting that ... 'They do not want me or us to win because I am the first president to ever challenge China on trade, and we are winning on trade — we are winning on every level.' "

The Chinese government pushed back on the accusation. “We did not and will not interfere in any countries' domestic affairs,” Chinese Foreign Minister Wang Yi said at the U.N. meeting. Trump defended the allegations later on Wednesday during a news conference. “We have evidence. It will come out. I can’t tell you now... They’ve actually admitted that they’ve gone after farmers,” Trump said, as quoted by my colleagues.

Yet Trump's top national security advisers, as David and Ellen reported, "told reporters in August they had not found specific examples of interference ahead of the midterms from countries other than Russia, though they warned it remained a possibility. In his remarks at the Security Council meeting, Trump made no mention of Russian interference, though he did say later that his administration also will not let Moscow interfere in the elections.... Trump’s remarks appear consistent with a White House strategy, devised in the immediate aftermath of his Helsinki summit with Russian President Vladimir Putin, to spread blame for election interference beyond Russia."

After Trump made the allegation, the White House quickly got a senior administration official on the phone with reporters. The official didn't offer any evidence of interference, but plenty of examples of China's propaganda and influence operations. But this is not the same thing.

PATCHED: The Senate Homeland Security and Governmental Affairs Committee on Wednesday advanced a bill that would establish a Federal Acquisition Security Council to help identify potential supply-chain threats when the federal government purchases IT equipment. Speaking in support of the bill, Sen. Claire McCaskill (Mo.), the committee's ranking Democrat, said security concerns about the Russian cybersecurity company Kaspersky Lab amounted to a “wake-up call” for the federal government.

The Department of Homeland Security last year directed federal agencies of the executive branch to rid their systems of Kaspersky products. Congress later banned federal agencies from using services and products from the company; the ban is scheduled to go into effect on Oct. 1. “This bill will put in place a systemic way for federal agencies to make sure national security interests are considered during the federal contracting process,” McCaskill said. She introduced the bill, called the Federal Acquisition Supply Chain Security Act of 2018, alongside Sen. James Lankford (R-Okla.) in June.

The panel adopted several other pieces of cybersecurity legislation on Wednesday, including a bill sponsored by Sen. Ron Johnson (R-Wis.), the committee's chairman, that “would give agencies authority to block websites if there’s a pressing cybersecurity need,” Nextgov's Joseph Marks reported. Under the bill, called the Federal Information Systems Safeguards Act of 2018, federal agencies could “override union objections to block employees from using personal email accounts or Facebook on work computers,” Marks reported.

PWNED: Christine Blasey Ford, a professor in California who has accused Supreme Court nominee Brett M. Kavanaugh of sexual assault when they were both teenagers, plans to tell the Senate Judiciary Committee today that her email was hacked after her identity became public. “This past Tuesday evening, my work email account was hacked and messages were sent out supposedly recanting my description of the sexual assault,” Ford plans to tell the committee, according to her prepared opening remarks. Ford also plans to say that she has received death threats and been harassed. “People have posted my personal information on the Internet,” Ford intends to tell senators. “This has resulted in additional emails, calls, and threats.”

PUBLIC KEY


— “Legislation introduced in the House Wednesday would create a stronger federal chief information officer and establishes a chain of command for some of the administration’s most important IT officials,” Nextgov's Frank Konkel reported. “The Federal CIO Authorization Act of 2018 would make the federal CIO a presidential appointee who would report directly to the Office of Management and Budget director. Currently the federal CIO reports to OMB’s deputy director for management.” The bill was introduced by Reps. Will Hurd (R-Tex.) and Robin L. Kelly (D-Ill.).

— “Researchers at Cisco's Talos have discovered that VPNfilter — the malware that prompted Federal Bureau of Investigation officials to urge people to reboot their Internet routers — carried an even bigger punch than had previously been discovered,” Ars Technica's Sean Gallagher reported Wednesday. “While researchers already found that the malware had been built with multiple types of attack modules that could be deployed to infected routers, further research uncovered seven additional modules that could have been used to exploit the networks routers were attached to, thus stealing data and creating a covert network for command and control over future attacks. The malware appeared to be primarily intended to attack Ukraine on the anniversary of the NotPetya attack, but VPNfilter was clearly built for long-term use as a network exploitation and attack platform.”

Last week, I ran an ad on Facebook that was targeted at a computer science professor named Alan Mislove. Mislove studies how privacy works on social networks and had a theory that Facebook is letting advertisers reach users with contact information collected in surprising ways.

Facebook’s $22 billion WhatsApp purchase made Brian Acton one of the richest people in America. But his idealism clashed with Mark Zuckerberg’s financial juggernaut. For the first time, Acton explains why he left.

America's promise to hack foreign countries means the Department of Defense will purchase more off-the-shelf cyber equipment.

Fifth Domain

SECURITY FAILS


— “Uber has agreed to pay $148 million to settle allegations from 50 states and the District that the ride-hailing company violated data breach laws when it waited a year to disclose a hack affecting tens of millions of its riders and drivers,” The Post's Brian Fung reported on Wednesday. “The settlement is among the biggest in Uber’s history and marks the first time the company has settled a matter with the top law enforcement officials from all 50 states and the District. It is the largest multistate penalty ever levied by state authorities for a data breach.”

Moreover, Uber had paid $100,000 to the hackers to stay quiet about the breach that exposed names, email addresses and phone numbers of 57 million people around the world, Brian reported. The company will have to enact several changes as part of the settlement. “Uber agreed to undergo regular third-party audits of its security practices and to set up a program allowing employees to file concerns about ethics violations they may have witnessed while on the job,” Brian wrote. “It also agreed to take precautions to safeguard any Uber data that may be held by third parties, according to New York’s attorney general’s office.”

— “The Port of San Diego said Wednesday it is investigating a highly sophisticated cybersecurity threat to its technology systems that is currently affecting the public agency’s ability to process park permits and records requests, and perform other business services,” the San Diego Union-Tribune's Jennifer Van Grove and Gary Robbins reported. “The digital assault is similar, in some ways, to a ransomware attack that was launched against the city of Atlanta in March, security analysts say.”

THE NEW WILD WEST


— "European Union lawmakers appear set this month to demand audits of Facebook by Europe’s cybersecurity agency and data protection authority in the wake of the Cambridge Analytica scandal," the Associated Press reports. "A draft resolution submitted Thursday to the EU Parliament’s civil liberties and justice committee urged Facebook to accept 'a full and independent audit of its platform investigating data protection and security of personal data.' "

Security researchers say that they have found evidence that for the first time Russia-backed hackers are now using a more sophisticated type of malware to target government entities. ESET presented its case Thursday that the hacker group, known as Fancy Bear (or APT28), is using rootkit malware to …

TechCrunch

ZERO DAYBOOK

Today

House Energy subcommittee hearing on the Energy Department's Office of Cybersecurity, Energy Security, and Emergency Response.